The New Identity Theft Red Flags Rule: Does it Raise “Red Flags” for Information Security?

Also, please note the following strangely worded phrase: “Any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor.” Here, the regulators are seeking to emphasize that a “covered account” does not necessarily involve an account held by an individual customer. Indeed, the agencies explicitly (and quite accurately) intend to include business customers, especially small businesses, as potential victims of identity theft. Unlike Gramm-Leach-Bliley and HIPAA, the Red Flags Rule does not focus entirely upon “natural persons,” or individual human beings. The authors of the Rule recognize that theft of identity can occur to businesses as well as people. Therefore, a “covered account” may include an account used by a business or other institutional customer.

The scope and intentions of the Rule are remarkably broad: Any financial institution, store, or merchant from which individual or business customers purchase goods or services in multiple payments must develop a written program intended to prevent or mitigate identity theft.

So What is the Role of Information Security?

A funny thing happened between the original drafting of the Rule and its final formulation: Information security concerns lost their status as “Red Flags.”

When the agencies first drafted their regulations, they wrote a preamble stating that certain security-related events, such as phishing and data breaches, were “precursors,” or preconditions, to possible identity theft. The proposed Rule maintained that these “precursors” were genuine Red Flags. This emphasis was entirely consistent with the report of the President’s Task Force on Identity Theft. However, when the proposed Rule was made available for reaction and response by interested parties, numerous “industry commenters” complained that Red Flags must not merely indicate the “possible risk of identity theft”; rather, a legitimate Red Flag must be an indicator of “significant, substantial, or the probable risk of identity theft.” The agencies accepted this rationale and relegated information security-related events to the status of “precursors” to theft. They were not actual Red Flags.